Security & Data Philosophy

What we store, what we don't, and why. Transparency is the foundation of trust in trade compliance.

What We Store

Account Information

Email, API keys, subscription tier, and usage counts for billing. Standard for any SaaS platform.

Analysis Results

When you run an analysis, TTI stores the structured result: HS code, duty rates, policy snapshot, and classification rationale. This allows you to re-export compliance records from your account. You can request deletion at any time.

API Logs

Request metadata (endpoint, timestamp, response code) is retained for debugging and billing reconciliation. Request bodies are not stored in logs.

What We Never Store

Source documents are never stored. When you upload an invoice or certificate, TTI processes it in memory, extracts the structured data, returns the result, and discards the source file. We cannot replay your documents because we do not have them.

AI providers never retain your data. Product descriptions sent to Anthropic and Google for classification are processed for the duration of the request only. No subscriber identifiers are included. These providers do not use customer data for model training.

Compliance Export

Every analysis tool includes a Download Report button that generates your compliance CSV directly in your browser from the analysis response. No server round-trip required. The export contains the classification rationale, duty stack, policy basis, and timestamp. That document is yours to keep, and it is the audit artifact your broker defends.

Enterprise Infrastructure

Hosting

Vercel

  • SOC 2 Type II
  • ISO 27001
  • DDoS protection

Database

Supabase

  • SOC 2 Type II
  • Encrypted at rest
  • ca-central-1, Canada

AI Processing

Anthropic + Google via OpenRouter

  • SOC 2 Type II (Anthropic)
  • No training on customer data
  • Stateless requests, no retention

Data Residency

All personal data and analysis results are stored in Canada (ca-central-1). Canada holds an adequacy decision under EU GDPR (Article 45) and UK GDPR, meaning data transfers from the EU/EEA/UK to Canada do not require Standard Contractual Clauses or additional transfer mechanisms.

Compliance

GDPR (Compliant)

Canadian entity with Canadian data residency. Canada holds UK/EU GDPR adequacy status under Article 45. Data deletion on request.

CCPA (Compliant)

We do not sell personal information. Data export and deletion on request.

SOC 2 (In Progress)

Certification planned for 2026. Current controls align with Type I requirements.

Data Deletion

You can request deletion of your account and all associated analysis results at any time by contacting privacy@triangle-trade-intel.site. Accounts marked for deletion are purged within 30 days. Source documents are never stored and require no deletion.

Security Inquiries

For security reviews, DPA requests, or vulnerability reports:

View Full Subprocessor List

Source documents discarded. Analysis results exportable and deletable. Canadian data residency.